The constant progress of communication systems that connect computers, particularly the explosion of the Internet and of intranet networks, has resulted in the development of a new information era. With a single personal computer, a user may obtain a connection to the Internet and gain direct access to a wide range of resources, including electronic business applications that provide a wide range of information and services. Solutions have been developed for rendering and accessing a huge number of such resources. However, as more computers have become interconnected through various networks, abuse by malicious computer users has also increased. As a result, a number of tools and resources that identify potentially malicious software, generally referred to as malware, have been developed to protect computers from the growing abuse occurring on modern networks. As described herein, malware includes, but is certainly not limited to, spyware, adware, viruses, Trojans, worms, rootkits, and any other computer program or executable software code that performs actions that are malicious or not desirable to the user.
Malware can be classified into a malware "family" when the samples are variants originating from one source base and exhibit a consistent set of behaviors. Currently, some anti-malware systems are developed to classify a suspicious or unknown application into a known malware family and thereby select an effective way to remove the threat based on prior knowledge of that family. One approach is automatic malware classification, which uses one or more selected undesirable events indicative of a malware family to classify a malware application. However, this conventional automatic malware classification approach may provide only limited protection.
Typically, conventional automatic malware classification uses a static analysis that focuses on whether one or more selected undesirable activities (for example, a fixed byte pattern or code signature associated with those activities) have been detected. However, such static analysis does not detect a malware variant that has subtle differences in code flow and data but still shares common behavior patterns with its malware family. Thus, conventional automatic malware classification may not yet be able to recognize common behavior patterns across malware variants produced by different compilers, or by data and code variations, within a single malware family.
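The contrast drawn above can be made concrete with a small added example (illustrative code written for this page, not part of the specification or of any product it describes). A static classifier matches an exact byte signature and therefore misses a recompiled variant, while a behavior classifier normalizes the events recorded during execution (file paths, registry keys, connection targets) into abstract behaviors and matches a sample against each family's consistent behavior set. All samples, byte patterns, event traces and family profiles below are constructed for illustration and correspond to no real malware; the normalization rules and the 75% coverage threshold are assumptions chosen for the example.

```python
"""Static byte-signature classification versus behavior-based family classification.

Added example: every sample, byte pattern, event trace and family profile in this
file is constructed for illustration and corresponds to no real malware.
"""
from __future__ import annotations

from dataclasses import dataclass

# --- conventional static approach: exact match on code bytes ---------------

# Hypothetical byte-level signature extracted from one compiled sample of
# family "Alpha" (constructed; not a real signature).
STATIC_SIGNATURES: dict[str, bytes] = {
    "Alpha": bytes.fromhex("558bec83ec10e800000000c3"),
}


def static_classify(code: bytes) -> str | None:
    """Return the family whose byte signature occurs verbatim in the sample, else None."""
    for family, signature in STATIC_SIGNATURES.items():
        if signature in code:
            return family
    return None


# --- behavior approach: normalized event sets compared with family profiles ---

@dataclass(frozen=True)
class Sample:
    name: str
    code: bytes                 # bytes of the executable (constructed)
    events: tuple[str, ...]     # raw events recorded during dynamic analysis (constructed)


def normalise(event: str) -> str:
    """Abstract away data variation so variants of one family yield comparable events.

    Assumed rules for this example:
      write_file:<path under AppData>   -> write_file:appdata   (otherwise write_file:other)
      connect:<scheme>://<host>/<path>  -> connect:<scheme>     (no scheme -> connect:raw)
      reg_set:<key under ...\\Run\\>     -> reg_set:run_key      (otherwise reg_set:other)
    Any other event (e.g. 'inject_process') is kept as-is.
    """
    kind, _, arg = event.partition(":")
    arg = arg.lower()
    if kind == "write_file":
        return "write_file:appdata" if "appdata" in arg else "write_file:other"
    if kind == "connect":
        return "connect:" + (arg.split("://", 1)[0] if "://" in arg else "raw")
    if kind == "reg_set":
        return "reg_set:run_key" if "\\run\\" in arg else "reg_set:other"
    return event


# Consistent behavior sets that define each (constructed) family.
FAMILY_BEHAVIOURS: dict[str, frozenset[str]] = {
    "Alpha": frozenset({"write_file:appdata", "reg_set:run_key", "connect:http", "inject_process"}),
    "Beta": frozenset({"write_file:other", "disable_firewall", "connect:raw"}),
}


def behaviour_classify(sample: Sample, threshold: float = 0.75) -> tuple[str | None, float]:
    """Assign the family whose behavior profile the sample covers best.

    Coverage is the fraction of a family's behaviors observed in the sample;
    the sample is left unclassified when the best coverage is below `threshold`.
    """
    observed = {normalise(e) for e in sample.events}
    best, best_score = None, 0.0
    for family, profile in FAMILY_BEHAVIOURS.items():
        score = len(observed & profile) / len(profile)
        if score > best_score:
            best, best_score = family, score
    return (best, best_score) if best_score >= threshold else (None, best_score)


# Constructed samples. ALPHA_V2 is a "recompiled" variant: one byte of the code
# differs from the static signature and its data (paths, keys, hosts) differs,
# but it behaves like the family; it also drops one behavior entirely.
ALPHA_V1 = Sample(
    name="alpha_v1",
    code=b"\x90\x90" + bytes.fromhex("558bec83ec10e800000000c3") + b"\xcc",
    events=(
        r"write_file:C:\Users\bob\AppData\Roaming\svchost32.exe",
        r"reg_set:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32",
        "connect:http://c2-one.example/ping",
        "inject_process",
    ),
)
ALPHA_V2 = Sample(
    name="alpha_v2",
    code=b"\x90\x90" + bytes.fromhex("558bec83ec20e800000000c3") + b"\xcc",
    events=(
        r"write_file:C:\Users\alice\AppData\Local\Temp\upd.dll",
        r"reg_set:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
        "connect:http://c2-two.example/x",
    ),
)
BENIGN = Sample(
    name="benign",
    code=bytes.fromhex("4d5a9000"),
    events=(
        r"write_file:C:\Program Files\Example\app.exe",
        "connect:https://updates.example/manifest",
        r"reg_set:HKCU\Software\Example\Version",
    ),
)

if __name__ == "__main__":
    for s in (ALPHA_V1, ALPHA_V2, BENIGN):
        print(f"{s.name:9} static={static_classify(s.code)!s:6} behaviour={behaviour_classify(s)}")
```

Run as a script, the static classifier labels only alpha_v1; the behavior classifier labels both Alpha variants (alpha_v2 with 75% coverage) and leaves the benign sample unclassified. The normalization step is what absorbs the data variation the text refers to; the coverage threshold absorbs the code-flow variation that adds or drops an individual behavior.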